From 5ecd8d6a434f97da94daef2f59166086fbaf5a6b Mon Sep 17 00:00:00 2001
From: DanConwayDev <DanConwayDev@protonmail.com>
Date: Fri, 9 Jan 2026 17:04:06 +0000
Subject: feat: implement state event authorization per GRASP-01 spec

Add comprehensive authorization checks to ensure state events are only
accepted from maintainers of accepted repository announcements. This
implements the core GRASP-01 requirement that pushes must match the
latest state announcement "respecting the maintainer set."

Changes:

1. StatePolicy authorization (src/nostr/policy/state.rs):
   - Check authorization BEFORE git data validation (fail-fast)
   - Reject if no announcement exists for repository
   - Reject if author not in maintainer set
   - Use existing helpers: fetch_repository_data() and
     pubkey_authorised_for_repo_owners()
   - Structured logging for all rejections

2. Purgatory invalidation (src/nostr/builder.rs):
   - New method: check_purgatory_state_events_for_identifier()
   - Called when announcements accepted (Accept and AcceptMaintainer)
   - Re-evaluates state events in purgatory for the identifier
   - Processes newly-authorized events (releases from purgatory)
   - Keeps unauthorized events for natural expiry (30 min)
   - Enables retroactive authorization when announcements arrive late

3. Purgatory sync authorization (src/git/sync.rs):
   - Check authorization BEFORE processing git data
   - Remove unauthorized events from purgatory (permanent rejection)
   - Prevents processing even if git data arrives first
   - Structured logging for monitoring

4. Rejected events tracking (src/sync/rejected_index.rs):
   - Add support for tracking rejected state events
   - New methods: add_state(), contains_state()
   - Separate metrics for state rejections
   - Enables sync to avoid re-fetching rejected states

5. Sync metrics (src/sync/metrics.rs, src/sync/mod.rs):
   - Add state-specific metrics (hot cache, cold index)
   - Track rejected states separately from announcements
   - Support monitoring of authorization rejections

6. Comprehensive tests (tests/state_authorization.rs):
   - test_reject_state_without_announcement
   - test_reject_state_from_unauthorized_author
   - test_accept_state_from_announcement_author
   - test_accept_state_from_maintainer

Security Impact:
- Before: State events could be published by anyone
- After: Only maintainers can publish state events
- Defense-in-depth: Authorization checked at 3 points:
  1. On arrival (StatePolicy)
  2. On announcement acceptance (purgatory re-evaluation)
  3. On git data arrival (purgatory sync)

All tests pass:
- 248 unit tests
- 51 NIP-34 announcement tests
- 4 new state authorization tests
- 9 rejected index tests

Closes: State authorization requirement from GRASP-01 spec
---
 src/nostr/policy/state.rs | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

(limited to 'src/nostr/policy')

diff --git a/src/nostr/policy/state.rs b/src/nostr/policy/state.rs
index acb76a3..d26b5ec 100644
--- a/src/nostr/policy/state.rs
+++ b/src/nostr/policy/state.rs
@@ -78,6 +78,46 @@ impl StatePolicy {
         // Get all repositories and state events from db with identifier
         let db_repo_data = fetch_repository_data(&self.ctx.database, &state.identifier).await?;
 
+        // CRITICAL: Check if author is authorized via maintainer set
+        // State events MUST be rejected if author is not in maintainer set of any accepted announcement
+        if db_repo_data.announcements.is_empty() {
+            tracing::warn!(
+                event_id = %event.id,
+                identifier = %state.identifier,
+                author = %event.pubkey.to_hex(),
+                "Rejecting state event: no announcement exists for this repository"
+            );
+            return Ok(WritePolicyResult::Reject {
+                status: false,
+                message: "invalid: no announcement exists for this repository".into(),
+            });
+        }
+
+        let authorized_owners =
+            crate::git::authorization::pubkey_authorised_for_repo_owners(&event.pubkey, &db_repo_data);
+        
+        if authorized_owners.is_empty() {
+            tracing::warn!(
+                event_id = %event.id,
+                identifier = %state.identifier,
+                author = %event.pubkey.to_hex(),
+                announcements_count = db_repo_data.announcements.len(),
+                "Rejecting state event: author not in maintainer set of any announcement"
+            );
+            return Ok(WritePolicyResult::Reject {
+                status: false,
+                message: "invalid: author not authorized for this repository".into(),
+            });
+        }
+
+        tracing::debug!(
+            event_id = %event.id,
+            identifier = %state.identifier,
+            author = %event.pubkey.to_hex(),
+            authorized_for_owners = ?authorized_owners,
+            "State event author authorized via maintainer set"
+        );
+
         // Duplicate check in db
         if db_repo_data.states.iter().any(|e| e.event.id.eq(&event.id)) {
             tracing::debug!("processed state event duplicate (in db): {}", event.id);
-- 
cgit v1.2.3